'unsafe-eval'

  • Emmker
    Member
    • Nov 2023
    • 98

    #1

    'unsafe-eval'

    Is it safe to remove 'unsafe-eval' from CSP?
  • Davide Alghi
    Junior Member
    • Sep 2024
    • 15

    #2
    Hi Emmker,

    As far as I know, removing unsafe-eval (and unsafe-inline) is safer, but it may break JS functions like eval() and JS constructors like Function().

    In other words, the unsafe-eval directive allows the 'creation' of methods from strings, so it potentially opens the door to code injection attacks, but removing it may break some JS functions (if they are in the code).

    In the past I was forced to insert the unsafe-eval and unsafe-inline directives in the Apache VirtualHost because otherwise the web-app did not work correctly.


    • yuri
      Member
      • Mar 2014
      • 8951

      #3



      By adding in the config:

      'clientCspDisabled' => true,

      Note that disabling CSP increases security risks drastically.
      If you find EspoCRM good, we would greatly appreciate if you could give the project a star on GitHub. We believe our work truly deserves more recognition. Thanks.


      • Emmker
        Member
        • Nov 2023
        • 98

        #4
        Originally posted by Davide Alghi
        Hi Emmker,

        As far as I know, removing unsafe-eval (and unsafe-inline) is safer, but it may break JS functions like eval() and JS constructors like Function().

        In other words, the unsafe-eval directive allows the 'creation' of methods from strings, so it potentially opens the door to code injection attacks, but removing it may break some JS functions (if they are in the code).
        So, removing 'unsafe-eval' is not an option here, as I understand it.

        yuri
        I do not want to disable CSP altogether.
        I just have a request from my client to remove 'unsafe-eval' and add base-uri/object-src.
        Is that possible or will it break espo functions?
        Last edited by Emmker; Today, 08:26 AM.


        • yuri
          Member
          • Mar 2014
          • 8951

          #5
          I encourage you to figure it out by looking into the code. It's been really hard for me to address multiple questions and resolve many issues on a daily basis. The product would have been better if I hadn't spent a big part of the day answering questions. Open source implies that everyone can look into the code and figure it out.



          • Emmker
            Emmker commented
            I fully appreciate your work Yuri.
            Didn't mean to bother you with my questions.
            Not being a coder myself, it is really difficult to review and understand everything here, but I will do my best.

            Again. Thank you for your time and effort.
        • yuri
          Member
          • Mar 2014
          • 8951

          #6
          I assumed that things like unsafe-eval would rather concern coders. It's impossible to keep everything in memory. Usually, when answering questions, I look things up in the docs: the Espo docs or MDN Web Docs, for example.

          I don't remember how the unsafe-eval parameter behaves. I needed to look up the docs https://developer.mozilla.org/en-US/...al_expressions.

          It says that it's the opposite: removing unsafe-eval increases security. So the answer is: it's not unsafe to remove unsafe-eval. But if you remove it, the application won't work. Usually, large web apps rely on APIs that unsafe-eval enables.


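The thread asks whether 'unsafe-eval' can be dropped from a policy and base-uri/object-src added. The small auditor below, an added example written for this page and not code from EspoCRM or from any poster, parses a Content-Security-Policy header into its directives and reports exactly those points: whether the directive governing scripts carries 'unsafe-eval' or 'unsafe-inline' (and whether a nonce or hash neutralises the latter), whether base-uri is set, and whether object-src is covered directly or through default-src. The function names and the sample policy strings are constructed for the example; they are not EspoCRM's real headers.

```javascript
// Added example (not from the thread or from EspoCRM): a small auditor for a
// Content-Security-Policy header. It parses the header into directives and
// reports the points discussed above: 'unsafe-eval' / 'unsafe-inline' in the
// directive that governs scripts, and missing base-uri / object-src.
// Function names and sample policies are this example's own constructions.

// Parse "name src src; name src" into Map(name -> [source expressions]).
function parseCsp(header) {
  const directives = new Map();
  for (const raw of header.split(';')) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // CSP ignores a repeated directive name; the first occurrence wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Sources that apply to a fetch directive: the directive itself, else the
// default-src fallback, else null (meaning that kind of fetch is unrestricted).
function effectiveSources(directives, name) {
  if (directives.has(name)) return directives.get(name);
  if (directives.has('default-src')) return directives.get('default-src');
  return null;
}

function auditCsp(header) {
  const d = parseCsp(header);
  const findings = [];

  const scriptSrc = effectiveSources(d, 'script-src');
  if (scriptSrc === null) {
    findings.push('no script-src or default-src: script loading is unrestricted');
  } else {
    const src = scriptSrc.map((s) => s.toLowerCase());
    if (src.includes("'unsafe-eval'")) {
      findings.push("script-src allows 'unsafe-eval': eval(), new Function() and string timers can run");
    }
    // A nonce or hash in script-src makes 'unsafe-inline' ignored (CSP level 2+),
    // so only report it when neither is present.
    const hasNonceOrHash = src.some(
      (s) => s.startsWith("'nonce-") || s.startsWith("'sha256-") ||
             s.startsWith("'sha384-") || s.startsWith("'sha512-"));
    if (src.includes("'unsafe-inline'") && !hasNonceOrHash) {
      findings.push("script-src allows 'unsafe-inline' without a nonce or hash: injected inline scripts run");
    }
  }

  // base-uri does not inherit from default-src; when absent, <base> is unrestricted.
  if (!d.has('base-uri')) {
    findings.push('base-uri missing: an injected <base> tag can redirect relative script URLs');
  }
  // object-src does inherit from default-src, so it is only missing when both are absent.
  if (effectiveSources(d, 'object-src') === null) {
    findings.push('object-src missing (and no default-src): plugin content is unrestricted');
  }
  return findings;
}

// Return the policy with one source expression removed from one directive,
// e.g. dropping 'unsafe-eval' from script-src as asked in the thread.
function dropSource(header, directive, source) {
  const d = parseCsp(header);
  if (d.has(directive)) {
    d.set(directive, d.get(directive).filter((s) => s.toLowerCase() !== source.toLowerCase()));
  }
  return [...d.entries()].map(([name, srcs]) => [name, ...srcs].join(' ')).join('; ');
}

// Constructed sample policies (not EspoCRM's real headers).
const LOOSE_CSP =
  "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'";
const STRICT_CSP =
  "default-src 'self'; script-src 'self'; style-src 'self'; object-src 'none'; base-uri 'self'";

console.log('loose policy findings:', auditCsp(LOOSE_CSP));
console.log('strict policy findings:', auditCsp(STRICT_CSP));
console.log('loose policy without unsafe-eval:', dropSource(LOOSE_CSP, 'script-src', "'unsafe-eval'"));
```

The auditor only says what a header permits; it cannot tell you whether the application still runs once 'unsafe-eval' is gone, which is the point yuri makes in #6. Browsers enforce that at load time, so the practical check is to serve the tightened policy as Content-Security-Policy-Report-Only first and watch the browser console (or the configured report endpoint) for eval-related violations before switching to the enforcing header.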